Red Hat · Keycloak · CVE-2026-9796
**Name of the Vulnerable Software and Affected Versions**
Keycloak (affected versions not specified)
**Description**
An authenticated administrator who holds the `manage-clients` role can exploit a time-of-check to time-of-use (TOCTOU) flaw in Keycloak's name-based admin role checks. A TOCTOU flaw is a race condition: the system checks a condition and later acts on the result of that check, but the condition can change in the window between the check and the use. By exploiting it, the attacker escalates to `realm-admin`, gaining full administrative control over the realm and all of its users. The escalation is recorded as a composite role relationship, and that relationship persists: it remains in effect after the attacker's original permissions are revoked and survives a restart of the server.
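Because the escalation survives as a composite role relationship, an audit of composite roles is the practical check for whether a realm has already been affected. The script below is an added example, not part of the advisory or of Keycloak's own code: it walks role data for composite chains that end at the built-in `realm-admin` client role (which lives in the `realm-management` client) and reports every role that reaches it, including indirect chains and cycles. The role shape (id, name, container, direct composite ids) is a simplified form chosen for the example rather than the raw admin REST API representation, and the sample roles are constructed.

```python
"""Audit composite-role chains for paths that grant realm-admin.

Each role is reduced to: id, name, clientRole flag, containerId and the ids
of its direct composites. This shape is chosen for the example; export your
own data from the Keycloak admin API and map it into it.
"""
from collections import deque

# Constructed sample data. "support" reaches realm-admin only through a
# two-step chain, and "helper" -> "support" forms a cycle on purpose.
SAMPLE_ROLES = [
    {"id": "r-realm-admin", "name": "realm-admin", "clientRole": True,
     "containerId": "c-realm-management", "composites": []},
    {"id": "r-manage-clients", "name": "manage-clients", "clientRole": True,
     "containerId": "c-realm-management", "composites": []},
    {"id": "r-helper", "name": "helper", "clientRole": True,
     "containerId": "c-app", "composites": ["r-realm-admin", "r-support"]},
    {"id": "r-support", "name": "support", "clientRole": False,
     "containerId": "myrealm", "composites": ["r-helper"]},
    {"id": "r-viewer", "name": "viewer", "clientRole": False,
     "containerId": "myrealm", "composites": ["r-manage-clients"]},
]


def build_graph(roles):
    """Index roles by id so composite ids can be followed."""
    return {role["id"]: role for role in roles}


def effective_roles(role_id, graph):
    """Ids of every role reachable through composites (transitive closure).

    Breadth-first with a visited set, so cyclic composite definitions
    terminate instead of looping.
    """
    seen = set()
    queue = deque([role_id])
    while queue:
        current = queue.popleft()
        for child in graph.get(current, {}).get("composites", []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def chains_to(graph, start_id, target_id):
    """All simple (acyclic) composite chains from start_id to target_id."""
    found = []

    def walk(node, path):
        for child in graph.get(node, {}).get("composites", []):
            if child in path:
                continue  # cycle: do not revisit a role already on the path
            if child == target_id:
                found.append(path + [child])
            else:
                walk(child, path + [child])

    walk(start_id, [start_id])
    return found


def find_realm_admin_grants(roles, target_name="realm-admin"):
    """Map each role name that reaches realm-admin to its chains of role names.

    Only client roles named target_name count as the target, because
    realm-admin is a client role of the realm-management client.
    """
    graph = build_graph(roles)
    targets = [r["id"] for r in roles
               if r["name"] == target_name and r["clientRole"]]
    findings = {}
    for role in roles:
        if role["id"] in targets:
            continue
        for target in targets:
            for chain in chains_to(graph, role["id"], target):
                names = [graph[i]["name"] for i in chain]
                findings.setdefault(role["name"], []).append(names)
    return findings


if __name__ == "__main__":
    for name, chains in find_realm_admin_grants(SAMPLE_ROLES).items():
        for chain in chains:
            print(f"{name}: {' -> '.join(chain)}")
```

Any role that appears in the output and was not deliberately designed to confer realm-admin deserves investigation, since the advisory states that revoking the attacker's own access does not remove the relationship; the composite link itself has to be deleted.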
**Recommendations**
At the moment, no fixed version of Keycloak has been published for this vulnerability. As a general mitigation until one is available, restrict the `manage-clients` role to trusted administrators and audit composite roles for unexpected links to `realm-admin`: a successful exploit persists as such a relationship and is not undone by revoking the attacker's original access.